Skip to content

Latest commit

 

History

History
56 lines (37 loc) · 2.65 KB

072.md

File metadata and controls

56 lines (37 loc) · 2.65 KB

Decent Smoke Owl

High

Bracket and StopLimit contracts are vulnerable to DoS attacks.

Summary

Users can create uncancellable order and brick the Bracket and StopLimit contracts. Both contracts have an upper limit for their pending orders defined in AutomationMaster contract. This will ensure that length of the pendingOrderIds array wont grow indefinitely and it can be traversed with the current gas block limit. Also, the admin can cancel orders if users create inexecutable order which only take space in the array.

But there is case where orders wont be possible to be cancelled by admin when the tokenIn is USDT which will allow users to fulfill the supported amount of orders with order that will never be in range to be executed. For example bracket order for WETH with stopPrice = 0 and takeProfit = 100000 USD

Root Cause

In _cancelOrder() the tokenIn amount is send back to the recipient: order.tokenIn.safeTransfer(order.recipient, order.amountIn)

But this call will always revert for order.recipient = address(0). Here is the _transfer() function of USDT:

function _transfer(address sender, address recipient, uint256 amount) internal virtual {
        require(sender != address(0), "ERC20: transfer from the zero address");
@>      require(recipient != address(0), "ERC20: transfer to the zero address");

        _beforeTokenTransfer(sender, recipient, amount);

        _balances[sender] = _balances[sender].sub(amount, "ERC20: transfer amount exceeds balance");
        _balances[recipient] = _balances[recipient].add(amount);
        emit Transfer(sender, recipient, amount);
    }

And when order is created, recipient can be set to address(0) since there are no constraints.

_cancelOrder(): https://github.com/sherlock-audit/2024-11-oku/blob/ee3f781a73d65e33fb452c9a44eb1337c5cfdbd6/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L501C1-L520C6

Internal pre-conditions

N/A

External pre-conditions

N/A

Attack Path

User create enough orders with recipient set to address(0) to make the length of pendingOrderIds reach AutomationMaster.maxPendingOrders. We assume that this does not lead to DoS and array elements can be traversed within the block gas limit. Admin cannot cancel such orders and can only increase the maxPendingOrders. This process can happen again and again until the size of pendingOrderIds and maxPendingOrders reach numbers for which gas cost to traverse the whole array would be more than the current gas block limit.

Impact

Complete DoS for Bracket and StopLimit contracts.

PoC

N/A

Mitigation

Ensure order recipient to be different than address(0).